Use NGINX for AD Authentication of both API users and Web Users


There is no such thing as an "AD Authentication". What you are looking for is Kerberos authentication via GSSAPI. For browsers, SPNEGO is used to obtain such an authentication. I just enumerate all these terms to give you a better starting point for further research.

The link you provided has nothing to do with SSO. It only describes a method to authenticate using the AD's LDAP interface.

For the type of authentication you want to implement you have to use the AD's Kerberos interface.

nginx does not support Kerberos out of the box. As far as I know spnego-http-auth-nginx-module is the least experimental way to implement Kerberos authentication in nginx.

Somewhat beyond the scope of your question: Apache has a very mature Kerberos module mod_auth_kerb and the somewhat newer mod_auth_gssapi.

This is not meant as a recommendation. My personal experience is mostly limited to using Kerberos in Java applications behind an Apache/mod_proxy_ajp/Tomcat facade.
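As an added illustration of the approach the answer describes (this is not the answer's own configuration and not the module project's documentation), the fragment below shows how the SPNEGO module would be wired into a reverse proxy with the `/api`, `/webapp` and `/proxy` paths from the question. It assumes nginx was built with spnego-http-auth-nginx-module, that a service principal `HTTP/foobar.com@EXAMPLE.COM` has been created in AD and exported to a keytab readable only by the nginx worker user, and that the module populates `$remote_user` after a successful negotiation. The realm, keytab path, certificate paths and upstream names are placeholders.

```nginx
# Added example, not from the original answer: nginx reverse proxy that
# authenticates every path with Kerberos/SPNEGO via spnego-http-auth-nginx-module.
# EXAMPLE.COM, the keytab path, the TLS paths and the upstream names are placeholders.

upstream webapp_backend { server 127.0.0.1:8081; }   # placeholder
upstream api_backend    { server 127.0.0.1:8082; }   # placeholder
upstream proxy_backend  { server 127.0.0.1:8083; }   # placeholder

server {
    listen 443 ssl;
    server_name foobar.com;

    # Kerberos tokens ride in the Authorization header; never expose them over plain HTTP.
    ssl_certificate     /etc/nginx/tls/foobar.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/foobar.com.key;   # placeholder

    # Settings shared by all locations. The keytab must hold the key for
    # HTTP/foobar.com@EXAMPLE.COM, i.e. the SPN clients will request a ticket for.
    auth_gss_realm        EXAMPLE.COM;              # placeholder realm
    auth_gss_keytab       /etc/nginx/http.keytab;   # placeholder path, mode 0400, owned by nginx user
    auth_gss_service_name HTTP;

    # With fallback on, a client without a ticket may send an AD password via HTTP Basic
    # and nginx validates it against the KDC. Turning it off forces ticket-based
    # authentication for humans and service accounts alike.
    auth_gss_allow_basic_fallback off;

    location /webapp/ {
        auth_gss on;
        # Overwriting the header here means a client cannot smuggle its own
        # X-Remote-User past nginx; the backend must still only trust this proxy.
        proxy_set_header X-Remote-User $remote_user;
        proxy_pass http://webapp_backend;
    }

    location /api/ {
        auth_gss on;
        proxy_set_header X-Remote-User $remote_user;
        proxy_pass http://api_backend;
    }

    location /proxy/ {
        auth_gss on;
        proxy_set_header X-Remote-User $remote_user;
        proxy_pass http://proxy_backend;
    }
}
```

With this in place the same endpoint serves both kinds of client in the question: a domain-joined browser configured to trust foobar.com for integrated authentication negotiates a ticket automatically, and a programmatic caller that has obtained a ticket for its service account (for example with `kinit -kt` against its own keytab) can call `curl --negotiate -u : https://foobar.com/api/...`. Either way the backend sees the authenticated principal in `X-Remote-User` rather than a form login, and an unauthenticated request gets a 401 with `WWW-Authenticate: Negotiate` from nginx before it reaches any upstream.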



Author: Andrew

Updated on September 18, 2022

Comments

  • Andrew (almost 2 years ago)

    We are currently using an NGINX server as a reverse proxy for a variety of services and applications. It is handling and proxying traffic to a web application we have created, an API Proxy server, as well as a separate programmatic API. Below is a sample diagram showing the resources behind the proxy.

        foobar.com
        |-foobar.com/api
        |-foobar.com/webapp
        |-foobar.com/proxy

    We have a corporate AD system with Single-Sign On capabilities. I am trying to integrate this with the NGINX reverse proxy to authenticate users when they access one or more of these services behind NGINX.

    I have seen posts like https://www.nginx.com/blog/nginx-plus-authenticate-users/ describe how to have NGINX use AD Authentication of users by having users fill out a login form, but this will not work for our use case. This is because some of these users will be interacting with the API service and the proxy service via HTTP CRUD operations and/or curl commands. In addition, these API and proxy users may belong to other applications and not human beings. In that sense, they are fully programmatic interactions.

    How can I configure NGINX to support both Human and Programmatic AD Authentication?